February 23, 2023
Set out below are Frequently Asked Questions (FAQs) regarding implementation of title II (Transparency) of division BB of the Consolidated Appropriations Act, 2021 (the CAA). These FAQs have been prepared jointly by the Departments of Labor, Health and Human Services, and the Treasury (collectively, the Departments). Like previously issued FAQs (available at https://www.dol.gov/agencies/ebsa/about-ebsa/our-activities/resource-center/faqs and http://www.cms.gov/cciio/resources/fact-sheets-and-faqs/index.html), these FAQs answer questions from stakeholders to help people understand the law and promote compliance.
Prohibition on Gag Clauses on Price and Quality Information in Provider Agreements
Internal Revenue Code (Code) section 9824, Employee Retirement Income Security Act (ERISA) section 724, and Public Health Service (PHS) Act section 2799A-9(a)(1), as added by section 201 of title II (Transparency) of division BB of the CAA, prohibit group health plans and health insurance issuers offering group health insurance coverage from entering into an agreement with a health care provider, network or association of providers, third-party administrator (TPA), or other service provider offering access to a network of providers that would directly or indirectly restrict a plan or issuer from—
- providing provider-specific cost or quality of care information or data, through a consumer engagement tool or any other means, to referring providers, the plan sponsor, participants, beneficiaries, or enrollees, or individuals eligible to become participants, beneficiaries, or enrollees of the plan or coverage;
- electronically accessing de-identified claims and encounter information or data for each participant, beneficiary, or enrollee in the plan or coverage upon request and consistent with the privacy regulations promulgated pursuant to section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Genetic Information Nondiscrimination Act of 2008 (GINA), and the Americans with Disabilities Act of 1990 (ADA), including, on a per claim basis—
- financial information, such as the allowed amount, or any other claim-related financial obligations included in the provider contract;
- provider information, including name and clinical designation;
- service codes; or
- any other data element included in claim or encounter transactions; or
- sharing information or data described in (1) and (2), or directing such information be shared, with a business associate, as defined in 45 CFR 160.103, consistent with applicable privacy regulations promulgated pursuant to section 264(c) of HIPAA, GINA, and the ADA.
PHS Act section 2799A-9(a)(2) prohibits health insurance issuers offering individual health insurance coverage from entering into an agreement with a health care provider, network or association of providers, or other service provider offering access to a network of providers that would directly or indirectly restrict the issuer from—
- providing provider-specific price or quality of care information, through a consumer engagement tool or any other means, to referring providers, enrollees, or individuals eligible to become enrollees of the plan or coverage; or
- sharing, for plan design, plan administration, and plan, financial, legal, and quality improvement activities, data described in (1) with a business associate, consistent with the privacy regulations promulgated pursuant to section 264(c) of HIPAA, GINA, and the ADA.
Plans and issuers must annually submit an attestation of compliance with these requirements to the Departments. These provisions became effective December 27, 2020 (the date of enactment of the CAA).
On August 20, 2021, the Departments issued an FAQ stating that the statutory language of section 201 of title II of division BB of the CAA is self-implementing and that the Departments did not expect to issue regulations pertaining to gag clauses at that time. The FAQ clarified that, until any further guidance is issued, plans and issuers are expected to implement the requirements prohibiting gag clauses using a good faith, reasonable interpretation of the statute. The FAQ further stated, however, that the Departments intend to issue guidance explaining how plans and issuers should submit their attestations of compliance, and that the Departments anticipate that they would begin collecting attestations in 2022.1
Concurrently with these FAQs, the Departments are launching a website for submitting attestations. The Departments are also issuing instructions, a system user manual, and a Reporting Entity Excel Template for plans and issuers to submit the required attestation. These materials are available at: https://www.cms.gov/cciio/programs-and-initiatives/other-insurance-protections/gag-clause-prohibition-compliance. Plans and issuers should use the website at https://hios.cms.gov/HIOS-GCPCA-UI to satisfy the requirement to submit an annual attestation of compliance. The deadlines for the initial attestation and all subsequent attestations of compliance are detailed below.
Q1: What is a "gag clause"?
In general, for the purposes of Code section 9824, ERISA section 724, and PHS Act section 2799A-9, a "gag clause" is a contractual term that directly or indirectly restricts specific data and information that a plan or issuer can make available to another party. Gag clauses in this context might be found in agreements between a plan or issuer and any of the following parties:
- a health care provider;
- a network or association of providers;
- a TPA; or
- another service provider offering access to a network of providers.
Q2: How do Code section 9824, ERISA section 724, and PHS Act section 2799A-9 prohibit group health plans and issuers offering group health insurance from entering into agreements that include gag clauses?
The Code, ERISA and PHS Act generally prohibit group health plans and issuers offering group health insurance from entering into agreements with providers, TPAs, or other service providers that include language that would constitute a "gag clause," specifically:
- restrictions on the disclosure of provider-specific cost or quality of care information or data to referring providers, the plan sponsor, participants, beneficiaries, or enrollees, or individuals eligible to become participants, beneficiaries, or enrollees of the plan or coverage;
- restrictions on electronic access to de-identified claims and encounter information or data for each participant, beneficiary, or enrollee upon request and consistent with the privacy regulations promulgated pursuant to section 246(c) of HIPAA, GINA, and the ADA; and
- restrictions on sharing information or data described in (1) and (2), or directing that such information or data be shared, with a business associate, as defined in 45 CFR 160.103, consistent with applicable privacy regulations.
For example, if a contract between a TPA and a group health plan states that the plan will pay providers at rates designated as "Point of Service Rates," but the TPA considers those rates to be proprietary and therefore includes language in the contract stating that the plan may not disclose the rates to participants or beneficiaries, that language prohibiting disclosure would be considered a prohibited gag clause.
As another example, if a contract between a TPA and a plan provides that the plan sponsor's access to provider-specific cost and quality of care information is only at the discretion of the TPA, that contractual provision would be considered a prohibited gag clause. Plans and issuers must ensure that their agreements with health care providers, networks or associations of providers, or other service providers offering access to a network of providers do not contain these or other provisions that violate the prohibition on gag clauses under Code section 9824, ERISA section 724, and PHS Act section 2799A-9.
However, a health care provider, network or association of providers, or other service provider may place reasonable restrictions on the public disclosure of this information.
Q3: How does PHS Act section 2799A-9 prohibit the contracts of issuers offering individual health insurance coverage from including gag clauses?
Similar to the gag clause provisions applicable to group health plans and health insurance issuers offering group health insurance coverage, PHS Act section 2799A-9(a)(2) prohibits issuers offering individual health insurance from entering into an agreement with a health care provider, network or association of providers, or other service providers offering access to a network of providers that directly or indirectly restricts the issuer from—
- disclosing of provider-specific price or quality of care information or data to referring providers, enrollees, or individuals eligible to become enrollees of the plan or coverage; and
- sharing with a business associate, as defined in 45 CFR 160.103, the information described in (1) for plan design, plan administration, and plan, financial, legal, and quality improvement activities, consistent with the privacy regulations promulgated pursuant to section 264(c) of HIPAA, GINA, and the ADA.
Q4: Is a term in a contract a prohibited gag clause if that term functions to restrict (but does not explicitly restrict) a plan or issuer from providing, accessing, or sharing the information described in Code section 9824, ERISA section 724, and PHS Act section 2799A-9?
Yes. To the extent a term in a contract, either directly or indirectly, prevents a plan or issuer from providing, accessing, or sharing the information or data, as provided for under the statute, that term in the contract violates the gag clause prohibitions and is prohibited under Code section 9824, ERISA section 724, and PHS Act section 2799A-9.
Q5: What is the Gag Clause Prohibition Compliance Attestation?
Under the Transparency provisions of the CAA, plans and issuers must annually submit to the Departments an attestation that the plan or issuer is in compliance with Code section 9824, ERISA section 724, and PHS Act section 2799A-9, as applicable (Gag Clause Prohibition Compliance Attestation).
Q6: What is the due date for the Gag Clause Prohibition Compliance Attestation?
The first Gag Clause Prohibition Compliance Attestation is due no later than December 31, 2023, covering the period beginning December 27, 2020, or the effective date of the applicable group health plan or health insurance coverage (if later), through the date of attestation.
Subsequent attestations, covering the period since the last preceding attestation, are due by December 31 of each year thereafter.
Q7: How should plans and issuers submit an attestation?
Plans and issuers should visit https//hios.cms.gov/HIOS-GCPCA-UI to submit the Gag Clause Prohibition Compliance Attestation. The annual attestation will satisfy the parallel requirements under the Code, ERISA, and the PHS Act, as applicable. Plans and issuers can also visit https://www.cms.gov/cciio/programs-and-initiatives/other-insurance-protections/gag-clause-prohibition-compliance to review instructions and a system user manual for submitting attestations, as well as an Excel template for providing information required as part of the attestation.
Plans and issuers that do not submit their attestation, as required under Code section 9824, ERISA section 724, and PHS Act section 2799A-9, by the deadlines above may be subject to enforcement action.
Q8: Which entities are required to submit a Gag Clause Prohibition Compliance Attestation?
The following entities are required to submit a Gag Clause Prohibition Compliance Attestation:
- health insurance issuers offering group health insurance coverage;
- health insurance issuers offering individual health insurance coverage, including student health insurance coverage and individual health insurance coverage issued through an association; and
- fully-insured and self-insured group health plans, including ERISA plans,2 non-Federal governmental plans;3 and church plans subject to the Code.4
Additionally, these requirements apply regardless of whether a plan or coverage is considered to be a grandfathered5 or grandmothered health plan.6 However, a plan or issuer otherwise attesting under Code section 9824, ERISA section 724, and PHS Act section 2799A-9, as applicable, is not required to attest with regard to any coverage that it offers that is an excepted benefit.7
Entities that are not required to attest include:
- plans or issuers offering only excepted benefits;
- issuers offering only short-term, limited-duration insurance;
- Medicare and Medicaid plans;
- state Children's Health Insurance Program (CHIP) plans;
- the TRICARE program;
- the Indian Health Service program; and
- Basic Health Program Plans.
The Departments will not enforce the requirement to submit a Gag Clause Prohibition Compliance Attestation against plans that consist solely of health reimbursement arrangements (HRAs), or other account-based group health plans, as described in 26 CFR 54.9815-2711(d)(6)(i), 29 CFR 2590.715-2711(d)(6)(i), and 45 CFR 147.126(d)(6)(i). HRAs and other account-based group health plans are generally group health plans that are subject to the group market reforms in the Code, ERISA, and the PHS Act, including Code section 9824, ERISA section 724, and PHS Act section 2799A-9. However, the Departments will not enforce the attestation requirement against plans that consist solely of HRAs or other account-based group health plans because the benefit design of such plans precludes the need to enter into agreements with providers, therefore, making the concepts related to the prohibited gag clauses inapplicable.
Additionally, the Departments expect that HRAs and other account-based group health plans typically will be integrated with other coverage that will be required to submit an attestation (such as individual coverage HRAs, for which the issuer of the individual coverage will be required to submit an attestation) or will be otherwise exempt from these requirements (such as excepted benefit HRAs). Therefore, the Departments are exercising enforcement discretion with respect to HRAs (including individual coverage HRAs) and other account-based group health plans until the Departments can exempt through rulemaking such plans from the requirements of Code section 9824, ERISA section 724, and PHS Act section 2799A-9. This approach is consistent with many other requirements that apply to group health plans and the existing applicability provisions in 26 CFR 54.9816-2T, 29 CFR 2590.716-2, and 45 CFR 149.20 with respect to other requirements of division BB of the CAA.
Q9: Can another entity, such as a pharmacy benefit manager (PBM), managed behavioral health organization, TPA, or other service provider attest on behalf of a self-insured group health plan or a health insurance issuer?
Yes. Self-insured and partially self-insured plans may satisfy the requirement to provide a Gag Clause Prohibition Compliance Attestation by entering into a written agreement under which the plan's service provider(s) (such as a TPA, including an issuer acting as a TPA) will attest on the plan's behalf. However, if a self-insured plan (including a partially self-insured plan) chooses to enter into such an agreement with the plan's service provider(s), the legal requirement to provide a timely attestation remains with the plan.
An issuer may satisfy the requirement to provide an attestation on behalf of other issuers in the same controlled group within the meaning of Code section 414.8 Additionally, an issuer that contracts with a third party to enter into provider agreements on the issuer's behalf may enter into a written agreement under which that third party will attest on the issuer's behalf. If an issuer chooses to enter into such an agreement, the legal requirement to provide an attestation remains with the issuer.
Q10: Can an issuer that both offers group health insurance and acts as a TPA for self-insured group health plans submit a single Gag Clause Prohibition Compliance Attestation on behalf of itself, its fully-insured group health plan policyholders, and its self-insured group health plan clients? Will the submission requirement be satisfied for the issuer and its group health plan policyholders and clients?
Yes. An issuer that both offers group health insurance and acts as a TPA for self-insured group health plans may submit a single Gag Clause Prohibition Compliance Attestation on behalf of itself, its fully-insured group health plan policyholders, and its self-insured group health plan clients. However, to avoid duplication, the Departments recommend that issuers acting as TPAs (or other service providers) and attesting on behalf of self-insured group health plans first coordinate with each plan to ensure that the group health plan does not intend to attest on its own behalf for some or all of its provider agreements.
With respect to fully-insured group health plans, the group health plan and the issuer are each required to annually submit a Gag Clause Prohibition Compliance Attestation. However, when the issuer of a fully-insured group health plan submits a Gag Clause Prohibition Compliance Attestation on behalf of the plan, the Departments will consider the plan and issuer to have satisfied the attestation submission requirement.
Q11: Who may attest to compliance on behalf of a plan or issuer?
A plan or issuer may authorize any appropriate individual within the organization, such as the plan administrator of a group health plan, to attest on behalf of the plan or issuer. A service provider that has been provided the authority to make the attestation on behalf of a plan or issuer, such as a TPA attesting on behalf of its clients, may authorize any appropriate personnel within the organization to make the attestation.
Q12: Are there any technical requirements for using the Gag Clause Prohibition Compliance Attestation user interface?
Yes. To access the user interface, a user must first obtain an authentication code by going to the Gag Clause Prohibition Compliance Attestation website at https://hios.cms.gov/HIOS-GCPCA-UI and selecting "Don't have a code or forgot yours?" The user will be asked to provide the user's e-mail address. The system will generate an authentication code and send it to the e-mail address provided. The user can then return to the Gag Clause Prohibition Compliance Attestation website, enter the e-mail address and code where indicated, and select "Login to the system" to proceed with submitting the attestation.
Q13: What should an interested party do if they suspect a violation of the gag clause prohibition or related requirements regarding attestation?
Interested parties with concerns about a plan's or issuer's compliance with the gag clause prohibition may contact the No Surprises Help Desk at 1-800-985-3059, submit a complaint at https://nsa-idr.cms.gov/providercomplaints/s/, or contact the applicable state authority. For ERISA plans, individuals may contact DOL for help at www.askebsa.dol.gov or 1-866-444-3272.
Footnotes
- See FAQs about Affordable Care Act and Consolidated Appropriations Act, 2021 Implementation Part 49 (Aug. 20, 2021), Q7, available at https://www.dol.gov/sites/dolgov/files/ebsa/about-ebsa/our-activities/resource-center/faqs/aca-part-49.pdf and https://www.cms.gov/CCIIO/Resources/Fact-Sheets-and-FAQs/Downloads/FAQs-Part-49.pdf.
- For these purposes, the term "ERISA plan" refers to an employee welfare benefit plan, as defined in ERISA section 3(1), established or maintained by a private-sector employer or by a private-sector employee organization (such as a union), or both, that provides medical care for employees or their dependents directly or through insurance, reimbursement, or otherwise, that is covered by Title I pursuant to ERISA section 4(a) and is not specifically exempt under section 4(b). See Code section 9832(a) ERISA section 733(a), PHS Act section 2791(a).
- PHS Act section 2791(d)(8)(C) defines the term "non-Federal governmental plan" as a governmental plan that is not a Federal governmental plan. Examples of non-Federal governmental plans include plans that are sponsored by states, counties, school districts, and municipalities. See https://www.cms.gov/CCIIO/Programs-and-Initiatives/Health-Insurance-Market-Reforms/nonfedgovplans.
- Code section 414(e) defines the term "church plan" as a plan established and maintained for its employees (or their beneficiaries) by a church or by a convention or association of churches which is exempt from tax under Code section 501, and includes certain plans of church-affiliated principal-purpose organizations. See also ERISA section 3(33) and Advocate Health Care Network v. Stapleton, 581 U.S 468 (2017).
- In general, health coverage is considered grandfathered if it was in existence and has continuously provided coverage for someone (not necessarily the same person, but at all times at least one person) since March 23, 2010, provided the plan (or its sponsor) or the issuer has not taken certain actions resulting in the plan relinquishing grandfathered status. See 26 CFR 54.9815-1251(a), 29 CFR 2590.715-1251(a), and 45 CFR 147.140(a).
- Grandmothered plans, sometimes referred to as transitional plans, are non-grandfathered health insurance coverage in the individual and small group market that were issued prior to January 1, 2014, and for which CMS announced it will not take enforcement action with respect to certain market requirements under certain conditions. See Bulletin: Extended Non-Enforcement of Affordable Care Act-Compliance With Respect to Certain Policies (Mar. 23, 2022), available at https://www.cms.gov/files/document/extension-limited-non-enforcement-policy-through-calendar-year-2023-and-later-benefit-years.pdf.
- Excepted benefits are described in Code section 9832(c), ERISA section 733(c), and PHS Act section 2791(c); 26 CFR 54.9831-1, 29 CFR 2590.732, 45 CFR 146.145, and 45 CFR 148.220.
- Any controlled group of corporations or trades or businesses under common control within the meaning of Code section 414(b) or (c) and related regulations.